Net gains or net losses: How cybersecurity impacts M&A

Bryce Boland, Chief Technology Officer for Asia Pacific, FireEye

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

For organisations around the world, mergers and acquisitions continue to be one of the core paths to grow a business and expand into new markets. In the U.S., just during April and May there were almost 2,000 M&A events, while in Asia Pacific, M&A activity reached a record US$367.7 billion value during the first six months of 2015.

The numbers are equally impressive elsewhere in the world. In Europe, M&A activity increased by 37 percent over the first six months of 2015. Add to that Bloomberg Business' forecast that M&A activity in Europe will climb more than an additional 14 percent over the next six months, and you see that M&A activity is as robust as it is universal.

That's a lot of activity. How does cybersecurity fit in?

A compromised organisation presents two major threats that can significantly change the value of an acquisition target:

First, if a company is an acquisition target based on the value of their intellectual property, a compromise could mean that valuable intellectual property is no longer exclusively theirs. Once a breach occurs, competitors could already have the most valuable data and it could impact the value of acquiring the company.

Second, if an attack group has breached an organisation, once the acquisition process begins, it becomes significantly easier for the attack group to gain access to the systems across both companies. This can be in through social engineering of email-based attacks coming from new "trusted" contacts, or as IT systems are integrated technical barriers are removed that make lateral movement easier.

The worst-case scenario of acquiring a compromised organisation is losing the competitive advantage of making the acquisition and compromising your organisation in the process.

When due diligence is undertaken a great deal of research goes into to understanding the market, assets, people, liabilities, customers, and technology of the target organisation. But one question usually isn't asked: "Is this organisation breached?

And that's a really valuable question to ask. Because when you know if the target is breached, it may change the value of the target. And it may alter the perception of shareholders, regulators and the board as to whether they should acquire that company.

If the value of the acquisition is tied to the intellectual property it holds, is that IP as valuable if attackers may have stolen it? If the value is tied to the confidentiality of the customer base, is that reduced if the customer data may be for sale on the dark web?

Most successful businesses place a significant value on their brand and reputation. In 2014, many of the top brands in the world had a greater value than their annual revenues. If the reputation of your brand is damaged by a cybersecurity breach, it could have a significant impact on the balance sheet. And if you acquire a breached company before the breach becomes public, when it does become public the breach could damage your (now combined) companies' reputation and brand equity.

In a recent study of global M&A deal makers, 78 percent believe cybersecurity is not analysed in great depth during due diligence. This despite 83 percent reporting they believe a deal could be abandoned if a cybersecurity breach was identified, and 90 percent saying a breach would reduce the value of the deal. In Europe, 39 percent of respondents believe cybersecurity inspection should be part of due diligence, rising to 51 percent in the U.S.

But no matter where you're based, a compromise assessment should be a basic part of your M&A process. This can give you assurance that the target acquisition is not currently breached, that you aren't acquiring a target that could compromise brand, IP or data. It can also give you a powerful lever in negotiations over the value of the business.

The cyber savvy executive really can make money using bad news about a cyber breach. A compromise assessment could give you the best return on investment in your business career.